

dji_ftp_aes_unscramble

When you get FTP access to your DJI aircraft, you can push files to it using normal FTP commands, though only into a limited subset of directories, because /system is mounted read-only.

Downloading is another matter. DJI modified the ftpd built into their firmware to stop people getting at the files (and to hide the fact that their aircraft use GPL software in an unauthorised manner).

A number of people have already worked out how to upload to and download from an aircraft. There is even dumldore, which can back up firmware, or push any version of firmware to your aircraft, using these methods. But it is a Windows app. With a little help from others, I am trying to document a process for backing up the firmware that is already on an aircraft.

1. Toolchain

Install your toolchain as per the instructions here. You only need to do this once, but check the instructions to see whether there are any new tools you may need.

2. Get the DJI_ftpd_aes_unscramble magic

If this is your first time using duml, you will need to check out the code from git.

cd ~/Documents/
git clone https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble.git
cd DJI_ftpd_aes_unscramble

If you have done this before and want to make sure you have the latest code, you just need to sync to the most recent version:

cd ~/Documents/DJI_ftpd_aes_unscramble
git pull

3. Now What?

OK. What we know so far: we already know the AES key, and it is used in both of the methods below.

Method One

Hostile (aka MavProxyUser) created this method, which is published in Git here. However, according to the issue filed here, the file that comes back is not 100% accurate: the first 16 bytes are wrong.

Method Two

I was talking to Jezzab in #general about this; he gave me an alternate command:

openssl enc -d -nosalt -in *.fw.sig -aes-128-cbc -K 746869732d6165732d6b657900000000 -iv 00000000000000000000000000000000 > output.fw.sig.decrypt

The glob *.fw.sig must expand to exactly one file, so run this in a directory holding only the file you want (or name it explicitly). The -K value is the key in hex: the ASCII bytes of this-aes-key padded with four zero bytes to the 16 bytes AES-128 needs.

But the first 16 bytes of the resulting decrypted file are still not correct. We have to assume that DJI are meddling with the original file content to try and screw with us. (Shock horror.)

Fixing 16 bytes

This is where jezzab has done some great work. Note that the two loops below XOR the first 16 bytes with the bytes 0x30..0x39 and then 0x61..0x66, which together are the ASCII string 0123456789abcdef.

Then on the first 16 bytes you need to do this:
// Descramble first 16 bytes
for (int i = 0x00; i < 0x0A; i++)
{
  array[i] ^= (byte)(0x30 + i);   // bytes 0..9: XOR with '0'..'9'
}
for (int i = 0x0A; i < 0x10; i++)
{
  array[i] ^= (byte)(0x57 + i);   // bytes 10..15: XOR with 'a'..'f'
}

So, part one of this solution: some quick Python code (with Python help from a mate, “Carneeki”)…

#!/usr/bin/env python
# Fix the first 16 bytes of the file written by the openssl command above.
# Both files are opened in binary mode: the original 'w+' opened the output
# in text mode, which corrupts the bytes on Python 3 and on Windows.

import array

with open('openssl.fw.sig.decrypt', 'rb') as src:
    arr = array.array('B')
    arr.fromfile(src, 16)          # the scrambled first block

    for i in range(10):
        arr[i] ^= 0x30 + i         # bytes 0..9: XOR with '0'..'9'

    for i in range(10, 16):
        arr[i] ^= 0x57 + i         # bytes 10..15: XOR with 'a'..'f'

    with open('output', 'wb') as dst:
        arr.tofile(dst)            # the fixed first block
        dst.write(src.read())      # the rest of the file is passed through untouched
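One thing worth knowing about the 16-byte fix: in CBC mode only the first plaintext block depends on the IV (P0 = D(C0) XOR IV), so decrypting with a zero IV and then XORing the first block with 0123456789abcdef produces exactly what a CBC decrypt with IV 30313233343536373839616263646566 would produce, with no post-processing at all. That is a property of CBC, not something the page or jezzab's snippet states, so the script below is an added example (not from this page, from jezzab, or from Hostile's repository) that checks the equivalence and packages the fix as a reusable function. To run without a crypto library it uses a stand-in 16-byte block function in place of AES; the identity it demonstrates holds unchanged for AES-128 with the key above, because it only relies on the block function being a bijection on 16 bytes. The sample ciphertext is constructed inline and has nothing DJI-specific in it.

```python
#!/usr/bin/env python3
"""Added example: the 16-byte descramble as a function, plus a check that
"zero-IV CBC decrypt, then XOR the first block with the mask" equals
"CBC decrypt with the mask as the IV". The block function is a stand-in
for AES-128, not AES itself."""
import sys

BLOCK = 16

# The XOR mask from jezzab's two loops: 0x30+i for i < 10, 0x57+i for 10 <= i < 16.
MASK = bytes(0x30 + i for i in range(10)) + bytes(0x57 + i for i in range(10, 16))
assert MASK == b"0123456789abcdef"          # i.e. hex 30313233343536373839616263646566


def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def descramble(data):
    """Apply the 16-byte fix to the output of a zero-IV decrypt.

    Only the first block is touched; everything after it passes through.
    Refuses inputs shorter than one block rather than silently XORing a
    partial header."""
    if len(data) < BLOCK:
        raise ValueError("need at least %d bytes, got %d" % (BLOCK, len(data)))
    return xor(data[:BLOCK], MASK) + data[BLOCK:]


def cbc_decrypt(block_decrypt, iv, ciphertext):
    """Textbook CBC decryption, no padding removal: P[i] = D(C[i]) ^ C[i-1], C[-1] = IV."""
    if len(iv) != BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("iv must be one block and ciphertext a whole number of blocks")
    out = bytearray()
    prev = iv
    for off in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[off:off + BLOCK]
        out += xor(block_decrypt(cur), prev)
        prev = cur
    return bytes(out)


def standin_block_decrypt(block):
    """Stand-in for AES-128 block decryption (NOT a cipher, assumed for the demo):
    a byte rotation XORed with a fixed 16-byte constant. Any bijection on
    16 bytes makes the CBC identity below hold; AES is one such bijection."""
    return xor(block[3:] + block[:3], b"standin-constant")


def zero_iv_then_fix(block_decrypt, ciphertext):
    """What the page's pipeline does: decrypt with -iv 00..00, then apply the fix."""
    return descramble(cbc_decrypt(block_decrypt, bytes(BLOCK), ciphertext))


def mask_as_iv(block_decrypt, ciphertext):
    """The one-step alternative: decrypt with the mask as the IV."""
    return cbc_decrypt(block_decrypt, MASK, ciphertext)


# Constructed sample ciphertext: three 16-byte blocks of arbitrary bytes.
SAMPLE_CT = bytes(range(3 * BLOCK))

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: unscramble.py <openssl zero-IV output> <fixed output>
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(descramble(data))
    else:
        a = zero_iv_then_fix(standin_block_decrypt, SAMPLE_CT)
        b = mask_as_iv(standin_block_decrypt, SAMPLE_CT)
        print("zero IV + 16-byte fix == mask as IV:", a == b)
```

In practice this means the whole of method two can be collapsed into the one openssl command by passing -iv 30313233343536373839616263646566 instead of the zero IV; the script stays useful for files you have already decrypted with the zero IV.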

FIXME: Either update Hostile's script, or craft a small script to tack onto the back of the openssl command suggested by jezzab, or both…

howto/dji_ftpd_aes_unscramble.1500814995.txt.gz · Last modified: 2017/07/23 13:03 by czokie